From: Boris Brezillon <boris.brezillon@collabora.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: "Joonyoung Shim" <jy0922.shim@samsung.com>,
piotr.oniszczuk@gmail.com,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Seung-Woo Kim" <sw0312.kim@samsung.com>,
"Kyungmin Park" <kyungmin.park@samsung.com>,
"DRI Development" <dri-devel@lists.freedesktop.org>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Russell King" <linux+etnaviv@armlinux.org.uk>,
stable@vger.kernel.org, linux-media@vger.kernel.org,
linaro-mm-sig@lists.linaro.org,
"Christian König" <christian.koenig@amd.com>
Subject: Re: [PATCH] drm/shme-helpers: Fix dma_buf_mmap forwarding bug
Date: Wed, 28 Oct 2020 09:44:15 +0100 [thread overview]
Message-ID: <20201028094415.7a7782b8@collabora.com> (raw)
In-Reply-To: <20201027214922.3566743-1-daniel.vetter@ffwll.ch>
On Tue, 27 Oct 2020 22:49:22 +0100
Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
> When we forward an mmap to the dma_buf exporter, they get to own
> everything. Unfortunately drm_gem_mmap_obj() overwrote
> vma->vm_private_data after the driver callback, wreaking the
> exporter complete. This was noticed because vb2_common_vm_close blew
> up on mali gpu with panfrost after commit 26d3ac3cb04d
> ("drm/shmem-helpers: Redirect mmap for imported dma-buf").
>
> Unfortunately drm_gem_mmap_obj also acquires a surplus reference that
> we need to drop in shmem helpers, which is a bit of a mislayer
> situation. Maybe the entire dma_buf_mmap forwarding should be pulled
> into core gem code.
>
> Note that the only two other drivers which forward mmap in their own
> code (etnaviv and exynos) get this somewhat right by overwriting the
> gem mmap code. But they seem to still have the leak. This might be a
> good excuse to move these drivers over to shmem helpers completely.
>
> Note to stable team: There's a trivial context conflict with
> d693def4fd1c ("drm: Remove obsolete GEM and PRIME callbacks from
> struct drm_driver"). I'm assuming it's clear where to put the first
> hunk, otherwise I can send a 5.9 version of this.
>
> Cc: Christian König <christian.koenig@amd.com>
> Cc: Sumit Semwal <sumit.semwal@linaro.org>
> Cc: Lucas Stach <l.stach@pengutronix.de>
> Cc: Russell King <linux+etnaviv@armlinux.org.uk>
> Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
> Cc: Inki Dae <inki.dae@samsung.com>
> Cc: Joonyoung Shim <jy0922.shim@samsung.com>
> Cc: Seung-Woo Kim <sw0312.kim@samsung.com>
> Cc: Kyungmin Park <kyungmin.park@samsung.com>
> Fixes: 26d3ac3cb04d ("drm/shmem-helpers: Redirect mmap for imported dma-buf")
> Cc: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Rob Herring <robh@kernel.org>
> Cc: dri-devel@lists.freedesktop.org
> Cc: linux-media@vger.kernel.org
> Cc: linaro-mm-sig@lists.linaro.org
> Cc: <stable@vger.kernel.org> # v5.9+
> Reported-and-tested-by: piotr.oniszczuk@gmail.com
> Cc: piotr.oniszczuk@gmail.com
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/drm_gem.c | 4 ++--
> drivers/gpu/drm/drm_gem_shmem_helper.c | 7 ++++++-
> 2 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 1da67d34e55d..d586068f5509 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1076,6 +1076,8 @@ int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size,
> */
> drm_gem_object_get(obj);
>
> + vma->vm_private_data = obj;
> +
> if (obj->funcs->mmap) {
> ret = obj->funcs->mmap(obj, vma);
> if (ret) {
> @@ -1096,8 +1098,6 @@ int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size,
> vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);
> }
>
> - vma->vm_private_data = obj;
> -
> return 0;
> }
> EXPORT_SYMBOL(drm_gem_mmap_obj);
> diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
> index fb11df7aced5..8233bda4692f 100644
> --- a/drivers/gpu/drm/drm_gem_shmem_helper.c
> +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
> @@ -598,8 +598,13 @@ int drm_gem_shmem_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
> /* Remove the fake offset */
> vma->vm_pgoff -= drm_vma_node_start(&obj->vma_node);
>
> - if (obj->import_attach)
> + if (obj->import_attach) {
> + /* Drop the reference drm_gem_mmap_obj() acquired.*/
> + drm_gem_object_put(obj);
> + vma->vm_private_data = NULL;
> +
> return dma_buf_mmap(obj->dma_buf, vma, 0);
> + }
>
> shmem = to_drm_gem_shmem_obj(obj);
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Boris Brezillon <boris.brezillon@collabora.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: "DRI Development" <dri-devel@lists.freedesktop.org>,
"Christian König" <christian.koenig@amd.com>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Lucas Stach" <l.stach@pengutronix.de>,
"Russell King" <linux+etnaviv@armlinux.org.uk>,
"Christian Gmeiner" <christian.gmeiner@gmail.com>,
"Inki Dae" <inki.dae@samsung.com>,
"Joonyoung Shim" <jy0922.shim@samsung.com>,
"Seung-Woo Kim" <sw0312.kim@samsung.com>,
"Kyungmin Park" <kyungmin.park@samsung.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Rob Herring" <robh@kernel.org>,
linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org,
stable@vger.kernel.org, piotr.oniszczuk@gmail.com,
"Daniel Vetter" <daniel.vetter@intel.com>
Subject: Re: [PATCH] drm/shme-helpers: Fix dma_buf_mmap forwarding bug
Date: Wed, 28 Oct 2020 09:44:15 +0100 [thread overview]
Message-ID: <20201028094415.7a7782b8@collabora.com> (raw)
In-Reply-To: <20201027214922.3566743-1-daniel.vetter@ffwll.ch>
On Tue, 27 Oct 2020 22:49:22 +0100
Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
> When we forward an mmap to the dma_buf exporter, they get to own
> everything. Unfortunately drm_gem_mmap_obj() overwrote
> vma->vm_private_data after the driver callback, wreaking the
> exporter complete. This was noticed because vb2_common_vm_close blew
> up on mali gpu with panfrost after commit 26d3ac3cb04d
> ("drm/shmem-helpers: Redirect mmap for imported dma-buf").
>
> Unfortunately drm_gem_mmap_obj also acquires a surplus reference that
> we need to drop in shmem helpers, which is a bit of a mislayer
> situation. Maybe the entire dma_buf_mmap forwarding should be pulled
> into core gem code.
>
> Note that the only two other drivers which forward mmap in their own
> code (etnaviv and exynos) get this somewhat right by overwriting the
> gem mmap code. But they seem to still have the leak. This might be a
> good excuse to move these drivers over to shmem helpers completely.
>
> Note to stable team: There's a trivial context conflict with
> d693def4fd1c ("drm: Remove obsolete GEM and PRIME callbacks from
> struct drm_driver"). I'm assuming it's clear where to put the first
> hunk, otherwise I can send a 5.9 version of this.
>
> Cc: Christian König <christian.koenig@amd.com>
> Cc: Sumit Semwal <sumit.semwal@linaro.org>
> Cc: Lucas Stach <l.stach@pengutronix.de>
> Cc: Russell King <linux+etnaviv@armlinux.org.uk>
> Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
> Cc: Inki Dae <inki.dae@samsung.com>
> Cc: Joonyoung Shim <jy0922.shim@samsung.com>
> Cc: Seung-Woo Kim <sw0312.kim@samsung.com>
> Cc: Kyungmin Park <kyungmin.park@samsung.com>
> Fixes: 26d3ac3cb04d ("drm/shmem-helpers: Redirect mmap for imported dma-buf")
> Cc: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Rob Herring <robh@kernel.org>
> Cc: dri-devel@lists.freedesktop.org
> Cc: linux-media@vger.kernel.org
> Cc: linaro-mm-sig@lists.linaro.org
> Cc: <stable@vger.kernel.org> # v5.9+
> Reported-and-tested-by: piotr.oniszczuk@gmail.com
> Cc: piotr.oniszczuk@gmail.com
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/drm_gem.c | 4 ++--
> drivers/gpu/drm/drm_gem_shmem_helper.c | 7 ++++++-
> 2 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 1da67d34e55d..d586068f5509 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1076,6 +1076,8 @@ int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size,
> */
> drm_gem_object_get(obj);
>
> + vma->vm_private_data = obj;
> +
> if (obj->funcs->mmap) {
> ret = obj->funcs->mmap(obj, vma);
> if (ret) {
> @@ -1096,8 +1098,6 @@ int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size,
> vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);
> }
>
> - vma->vm_private_data = obj;
> -
> return 0;
> }
> EXPORT_SYMBOL(drm_gem_mmap_obj);
> diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
> index fb11df7aced5..8233bda4692f 100644
> --- a/drivers/gpu/drm/drm_gem_shmem_helper.c
> +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
> @@ -598,8 +598,13 @@ int drm_gem_shmem_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
> /* Remove the fake offset */
> vma->vm_pgoff -= drm_vma_node_start(&obj->vma_node);
>
> - if (obj->import_attach)
> + if (obj->import_attach) {
> + /* Drop the reference drm_gem_mmap_obj() acquired.*/
> + drm_gem_object_put(obj);
> + vma->vm_private_data = NULL;
> +
> return dma_buf_mmap(obj->dma_buf, vma, 0);
> + }
>
> shmem = to_drm_gem_shmem_obj(obj);
>
next prev parent reply other threads:[~2020-10-28 8:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-27 21:49 [PATCH] drm/shme-helpers: Fix dma_buf_mmap forwarding bug Daniel Vetter
2020-10-27 21:49 ` Daniel Vetter
2020-10-28 8:44 ` Boris Brezillon [this message]
2020-10-28 8:44 ` Boris Brezillon
2020-10-28 10:17 ` Daniel Vetter
2020-10-28 10:17 ` Daniel Vetter
2020-10-28 9:57 ` [Linaro-mm-sig] " Christian König
2020-10-28 9:57 ` Christian König
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201028094415.7a7782b8@collabora.com \
--to=boris.brezillon@collabora.com \
--cc=christian.koenig@amd.com \
--cc=daniel.vetter@ffwll.ch \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=jy0922.shim@samsung.com \
--cc=kraxel@redhat.com \
--cc=kyungmin.park@samsung.com \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux+etnaviv@armlinux.org.uk \
--cc=linux-media@vger.kernel.org \
--cc=piotr.oniszczuk@gmail.com \
--cc=stable@vger.kernel.org \
--cc=sw0312.kim@samsung.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.